New ¿Where Is My Data? Report: Five Years of Holding ISPs Accountable in Colombia

Five years have passed since Colombian digital rights NGO Fundación Karisma launched its first annual ¿Dónde Están Mis Datos? report assessing telecommunication companies’ commitment to transparency and user privacy. Since then, we’ve seen major telecom companies providing more transparency about how and when they divulge their users’ data to the government. This project is part of a region-wide initiative akin to EFF’s Who Has Your Back? by Latin American and Spanish NGOs. So far, nine countries have joined this project kicked off in 2015 with Karisma’s first report.

When Karisma started the reports in 2015, none of the ISPs published any transparency report or any aggregate data about the number of data requests they received from governments. Five years later, the country’s main ISPs, such as Telefónica-Movistar and Claro, periodically disclose government transparency reports. This is a big win for transparency and users’ rights. Companies' privacy policies have also shown progress over the years, with more useful information being better provided to users on data retention, collection, and processing.

This year’s fifth edition featured six ISPs. Telefónica-Movistar shows the best rating, followed by Millicom-Tigo and Claro. Telefónica-Movistar and Claro improved their scores from the previous edition, with notable improvements in providing information about content blocking. The former also stands out in digital security. Poorly rated in this category in 2018, Telefónica-Movistar is the only company to earn the full score this year. Millicom-Tigo, however, disappointed for not publishing an updated transparency report with specific data from Colombia. ETB and DirecTV show an intermediate position, rating slightly less than the last edition, while EMCALI remains behind.

Throughout the annual editions of this report, the public-private shares company ETB has led significant shifts, showing openness to change and to uphold users’ rights. However, this year’s edition shows the ISP has to double down on its commitments if it wants to catch up with the two best-ranked companies.

An Outline of the 2019 Edition of ¿Where Is My Data?

The new report evaluates the same companies of the previous one with the exception of Telebucaramanga, a local ISP acquired by Telefónica-Movistar in 2018. It has also toughened some of the assessment criteria. For example, regarding transparency reports, companies should not only publish them periodically, but also include more detailed information on government data and content blocking requests. New parameters in the privacy category also require ISPs' policies to provide greater detail about personal data collection, processing, and retention obligations and practices. Moreover, ISPs’ internal procedures to hand over users’ data to investigation authorities should contain human rights safeguards in addition to being publicly available.

The report’s main findings are below. The full study with a detailed evaluation for each company is available in Spanish.

Each ISP was assessed in the following four categories: political commitments, privacy, freedom of expression, and digital security.

In the political commitment category, the report assesses, among other things, if the ISPs publish transparency reports with detailed information about government data and content blocking demands. In this category, Telefónica-Movistar and Claro meet all the parameters. ETB is right behind, but still doesn’t provide clear and detailed information about traffic and subscriber data, communications interception, and content blocking requests. Millicom-Tigo, DirecTV, and EMCALI fall short in this category, receiving the lowest score.

AT&T, DirecTV’s parent company, publishes a global transparency report, but it doesn’t provide specific information on requests received by the Colombian branch. As for Millicom-Tigo, the last transparency report the ISP published detailing Colombia’s government data and content blocking requests refers to 2017. 2018 and 2019 information can be found in more recent reports, but they aren't available on the Colombian website and the figures are shown only per region. For South America, the reports aggregate data requests from Colombia, Paraguay, and Bolivia. Such reports, however, highlight that the country’s authorities demand direct access to companies’ mobile networks, preventing them from knowing the number of interception measures carried out in their mobile lines. By making the number of interception requests a requirement, this year’s report seeks to verify whether companies come clean about this surveillance practice. In essence, Millicom-Tigo, Telefónica-Movistar, and Claro explicitly mention this is taking place in Colombia.

Regarding privacy commitments, ISPs should publish data protection policies on their Colombian website detailing which data the company collects, how they are used, with whom they are shared, and for what reasons. They should also publicly disclose the legal obligation to retain users’ data and which data is retained and for how long, as well as the law enforcement guidelines followed when handing users’ data to government authorities. Finally, they should commit to notifying their users about government data requests.

Under this year’s stricter requirements for this category, no company received the full score. Telefónica-Movistar ranks best, followed by Claro, DirecTV, and Millicom-Tigo. DirecTV is the only one that mentions notifying users about government data requests, although the company's policy describes it more as a “possibility” rather than as a commitment. In turn, Movistar and Claro best describe the procedure followed when handing users’ data to authorities.

For freedom of expression, companies should clarify the cases in which they have the legal duty to block content, and publish the procedures they adhere to when blocking content for legal or contractual reasons. They should inform users about the reason for the blocking and provide an appeals mechanism. Finally, they should provide public guidelines so that users know their rights and the rules they are expected to follow.

This year's criteria push ISPs to shed light on how content blocking obligations are applied. Requests to block content may come from a judicial order, or the enforcement of legal online content restrictions regarding child exploitation and gambling. Companies have significantly improved the provision of such information compared to the previous edition, especially on child exploitation. Both Telefónica-Movistar and Millicom-Tigo earned the full score for detailing legal information, publishing the procedures they adhere to when blocking content, offering due process mechanisms, and providing public guidelines for users. Claro and ETB are a little behind, but still with good marks. Unlike the previous edition, Claro scored this year for providing public guidelines for its users.

Finally, on digital security, the report assesses whether the ISPs commit to notifying competent authorities and users in the case of a data breach, and if they disclose which measures the company can take to mitigate harms. Also, the report verifies whether ISPs use secure data transmission protocols (HTTPS) on their websites.

Telefónica-Movistar is the one that best provides information on how it addresses security incidents, and makes an explicit commitment to notify the country’s data protection authority about them.

These five years of Colombia’s reports have shown continuous progress, indicating that many ISPs have become more aware of their critical role in protecting users. As the report points out, companies’ enhanced commitments on transparency, due process, and user privacy are crucial to empower groups and individuals in knowing and exercising their rights.
